What just happened? A series of critical security flaws in Copeland's refrigeration controllers, deployed in supermarkets and cold storage facilities worldwide, has exposed the food supply chain to potential cyber threats capable of widespread disruption. The vulnerabilities, identified as Frostbyte10, affect Copeland's E2 and E3 control systems, which regulate temperatures for essential assets from walk-in freezers to HVAC units and building lighting systems.
Copeland, a major provider of climate and industrial technology operating in over 40 countries, counts grocery giants such as Kroger, Albertsons, and Whole Foods among its clients. According to Copeland's vice president of software, Josh Weaver, about two-thirds of grocery stores in North America use its products, significantly raising the stakes for any security lapse. "Not all of those are in scope for what we're talking about today, to be clear. But you and your readers, more likely than not, have stepped foot into the stores that we support," Weaver told The Register.
The vulnerabilities came to light after security researchers at Armis Labs, led by Shaul Garbuz and Alon Cohen, discovered unusual behavior while testing Copeland controllers at a large retailer. "It started with us accidentally crashing one of the devices – this is one of the vulnerabilities – by communicating with it in an incorrect way. And then we started digging in," Garbuz said.
Their investigation revealed 10 interconnected flaws, ranging from weak authentication to privilege escalation, some of which could be exploited to execute remote code with full administrative privileges.
Of the discovered flaws, three were classified as critical in severity. One, CVE-2025-6519, involved a default admin user account ("ONEDAY") with a predictable, date-based password that is regenerated daily. This administrative password, intended to facilitate maintenance by contractors, effectively undermined the security of the entire system, as the credentials could be generated by anyone familiar with the pattern. "The customers asked us to give them repeatable passwords, which is generally a no-no in the security industry," Weaver said. "This almost goes to a philosophical question: if a customer is specifically asking you to do something … but it's not the most secure way to access their product, should you try to correct them?" Copeland has since eliminated the use of predictable passwords in its systems.

Another serious issue, CVE-2025-52549, allows attackers to generate the root Linux password after each device boot by exploiting known or easily obtainable parameters. Combined with the administrative flaw, attackers could assume full control of affected devices, modify system settings, and lock out legitimate users. "That's enough to disturb the operations of the facility," Garbuz said. "You can remove other users. You can prevent access for other humans from using the machine. You can update the firmware for the device and give it a malicious firmware. You can run code on the device. This is pretty much maximum control over the device."
While Copeland's E2 controller reached end-of-life last October, older devices remain in circulation and are especially susceptible due to their use of unencrypted proprietary protocols, which made reverse engineering straightforward for researchers. "Once we understood the protocol, we could do pretty much whatever we want – override files, run code," Garbuz said. Meanwhile, nine other vulnerabilities exist in E3 units running firmware versions earlier than 2.31F01.
Copeland responded to Armis's report by releasing firmware updates for both E2 and E3 controllers, with the new E3 firmware version 2.31F01 addressing all identified issues. Affected customers are strongly encouraged to upgrade immediately.
Although there is no evidence the vulnerabilities have been exploited in the wild so far, experts caution that systems of this scale are natural targets for both state-sponsored attackers seeking to disrupt food supplies and criminal gangs aiming to extort businesses for quick ransoms. "Attackers go after the targets that would generate the most revenue or advantage," said Nadir Izrael, co-founder and CTO of Armis. "If I can hold for ransom, something where the business loses money every second that goes by, that's what I'm targeting. For retailers: their supplies, their food, everything that's being held in that fashion is absolutely a target."